[csswg-drafts] [css-env-1] Avoid fingerprinting using environment variables (#5905)

SebastianZ has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-env-1] Avoid fingerprinting using environment variables ==
With exposing different environment variables comes the risk of being able to identify the user agent, operating system, or device being used.

E.g. by analyzing the different values of the `safe-area-inset-*` variables, someone can draw conclusions as to which device is used, as some devices have specific values for them.

Similarly, if the device's body color (#5826) or a user agent's accent color (#5900) are exposed as environment variables, those could be used to identify the device or user agent used.

I'm not sure whether there is actually a way to completely avoid fingerprinting, though it should at least be mitigated in some way. One way would be to not expose their values directly, e.g. by computing the `env()` function to itself.

In the end, there also needs to be a privacy and security section outlining the possible fingerprinting risks.

This is also somewhat related to #2820.

Sebastian

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5905 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 27 January 2021 22:20:31 UTC
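
The mitigation suggested in the issue, computing `env()` to itself, can be illustrated with a toy model of what a script reads back from a computed style. This is an added example, not code from the issue or from any specification or browser; the device names, inset values and the functions `computedValue` and `distinguishableGroups` are constructed for illustration.

```javascript
// Constructed device profiles: the inset values are illustrative, not measured.
const DEVICES = {
  "device-a": { "safe-area-inset-top": "44px", "safe-area-inset-bottom": "34px" },
  "device-b": { "safe-area-inset-top": "47px", "safe-area-inset-bottom": "34px" },
  "device-c": { "safe-area-inset-top": "0px", "safe-area-inset-bottom": "0px" },
};

// Matches env(<name>) or env(<name>, <fallback>) without nested parentheses.
const ENV_RE = /env\(\s*([a-z-]+)\s*(?:,\s*([^()]*?)\s*)?\)/g;

// Toy model (an assumption, not a real engine) of the string a page script
// would read back for a declared value.
//   mode "substitute": env() is replaced by the device value, so it is exposed.
//   mode "preserve":   env() computes to itself, as the issue proposes.
function computedValue(declared, deviceEnv, mode) {
  if (mode === "preserve") {
    // Only whitespace is normalised; the device value never enters the string.
    return declared.replace(ENV_RE, (_, name, fb) =>
      fb === undefined ? `env(${name})` : `env(${name}, ${fb})`);
  }
  return declared.replace(ENV_RE, (_, name, fb) => {
    if (Object.prototype.hasOwnProperty.call(deviceEnv, name)) return deviceEnv[name];
    if (fb !== undefined) return fb;
    throw new Error(`unknown environment variable without fallback: ${name}`);
  });
}

// Distinct readbacks across all devices = groups an observer can tell apart.
function distinguishableGroups(declared, mode) {
  const seen = new Set();
  for (const env of Object.values(DEVICES)) {
    seen.add(computedValue(declared, env, mode));
  }
  return seen.size;
}

const decl = "env(safe-area-inset-top, 0px) env( safe-area-inset-bottom )";
for (const mode of ["substitute", "preserve"]) {
  console.log(mode, distinguishableGroups(decl, mode));
}
```

The model covers only the computed-value readback; it does not show that fingerprinting is avoided completely, which the issue itself leaves open.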